1 //-----------------------------------------------------------------------------
2 //
3 // This code is licensed to you under the terms of the GNU GPL, version 2 or,
4 // at your option, any later version. See the LICENSE.txt file for the text of
5 // the license.
6 //-----------------------------------------------------------------------------
7 // Low frequency T55xx commands
8 //-----------------------------------------------------------------------------
9
10 #include "cmdlft55xx.h"
11
12 #include <stdio.h>
13 #include <string.h>
14 #include <inttypes.h>
15 #include <ctype.h>
16 #include <time.h>
17 #include "comms.h"
18 #include "ui.h"
19 #include "graph.h"
20 #include "cmdmain.h"
21 #include "cmdparser.h"
22 #include "cmddata.h"
23 #include "cmdlf.h"
24 #include "util.h"
25 #include "lfdemod.h"
26 #include "protocols.h"
27 #include "taginfo.h"
28
// Page 0 / block 0 is the tag's configuration block; it is what the safety
// check in T55xxReadBlock and the auto-detection in CmdT55xxDetect acquire.
#define T55x7_CONFIGURATION_BLOCK 0x00
#define T55x7_PAGE0 0x00
#define T55x7_PAGE1 0x01
//#define T55x7_PWD 0x00000010
// Sentinel block number meaning "no block given": CmdT55xxReadBlock uses it
// as the default and lets it through its 0..7 range check.
#define REGULAR_READ_MODE_BLOCK 0xFF

// Default configuration
// Module-wide demodulation settings: read by DecodeT55xxBlock and
// printT55xxBlock, written by CmdT55xxSetConfig, tryDetectModulation and
// Set_t55xx_Config. bitrate is an index into the RF/8..RF/128 rate tables.
t55xx_conf_block_t config = { .modulation = DEMOD_ASK, .inverted = false, .offset = 0x00, .block0 = 0x00, .Q5 = false };
37
/* Return a copy of the module-wide T55xx demodulation configuration. */
t55xx_conf_block_t Get_t55xx_Config(){
    t55xx_conf_block_t snapshot = config;
    return snapshot;
}
/* Replace the module-wide T55xx demodulation configuration wholesale. */
void Set_t55xx_Config(t55xx_conf_block_t conf){
    memcpy(&config, &conf, sizeof config);
}
44
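/* Print the help text for "lf t55xx config". Always returns 0 so option
 * parsers can "return usage_t55xx_config()". */
int usage_t55xx_config(){
    // The usage line now lists every option CmdT55xxSetConfig actually parses
    // (b and ST were described in the option list but missing from the synopsis).
    static const char *const text[] = {
        "Usage: lf t55xx config [b <bitrate>] [d <demodulation>] [i 1] [o <offset>] [Q5] [ST]",
        "Options:",
        " h This help",
        " b <8|16|32|40|50|64|100|128> Set bitrate",
        " d <FSK|FSK1|FSK1a|FSK2|FSK2a|ASK|PSK1|PSK2|NRZ|BI|BIa> Set demodulation FSK / ASK / PSK / NRZ / Biphase / Biphase A",
        " i [1] Invert data signal, defaults to normal",
        " o [offset] Set offset, where data should start decode in bitstream",
        " Q5 Set as Q5(T5555) chip instead of T55x7",
        " ST Set Sequence Terminator on",
        "",
        "Examples:",
        " lf t55xx config d FSK - FSK demodulation",
        " lf t55xx config d FSK i 1 - FSK demodulation, inverse data",
        " lf t55xx config d FSK i 1 o 3 - FSK demodulation, inverse data, offset=3,start from position 3 to decode data",
        "",
    };
    // Pass the lines as "%s" arguments so none of them is ever used as a format string.
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}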
/* Print the help text for "lf t55xx read". Always returns 0. */
int usage_t55xx_read(){
    static const char *const text[] = {
        "Usage: lf t55xx read [b <block>] [p <password>] <override_safety> <page1>",
        "Options:",
        " b <block> - block number to read. Between 0-7",
        " p <password> - OPTIONAL password (8 hex characters)",
        " o - OPTIONAL override safety check",
        " 1 - OPTIONAL read Page 1 instead of Page 0",
        " e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference",
        " '2' leading zero, '3' 1 of 4 coding reference",
        " ****WARNING****",
        " Use of read with password on a tag not configured for a pwd",
        " can damage the tag",
        "",
        "Examples:",
        " lf t55xx read b 0 - read data from block 0",
        " lf t55xx read b 0 p feedbeef - read data from block 0 password feedbeef",
        " lf t55xx read b 0 p feedbeef o - read data from block 0 password feedbeef safety check",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx write". Always returns 0. */
int usage_t55xx_write(){
    static const char *const text[] = {
        "Usage: lf t55xx write [b <block>] [d <data>] [p <password>] [1] [t]",
        "Options:",
        " b <block> - block number to write. Between 0-7",
        " d <data> - 4 bytes of data to write (8 hex characters)",
        " p <password> - OPTIONAL password 4bytes (8 hex characters)",
        " 1 - OPTIONAL write Page 1 instead of Page 0",
        " t - OPTIONAL test mode write - ****DANGER****",
        " e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference",
        " '2' leading zero, '3' 1 of 4 coding reference",
        "",
        "Examples:",
        " lf t55xx write b 3 d 11223344 - write 11223344 to block 3",
        " lf t55xx write b 3 d 11223344 p feedbeef - write 11223344 to block 3 password feedbeef",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx trace". Always returns 0. */
int usage_t55xx_trace() {
    static const char *const text[] = {
        "Usage: lf t55xx trace [1]",
        "Options:",
        " [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.",
        "",
        "Examples:",
        " lf t55xx trace",
        " lf t55xx trace 1",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx info". Always returns 0. */
int usage_t55xx_info() {
    static const char *const text[] = {
        "Usage: lf t55xx info [1]",
        "Options:",
        " [graph buffer data] - if set, use Graphbuffer otherwise read data from tag.",
        "",
        "Examples:",
        " lf t55xx info",
        " lf t55xx info 1",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx dump". Always returns 0. */
int usage_t55xx_dump(){
    static const char *const text[] = {
        "Usage: lf t55xx dump <password> [o]",
        "Options:",
        " <password> - OPTIONAL password 4bytes (8 hex symbols)",
        " o - OPTIONAL override, force pwd read despite danger to card",
        "",
        "Examples:",
        " lf t55xx dump",
        " lf t55xx dump feedbeef o",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx detect". Always returns 0. */
int usage_t55xx_detect(){
    static const char *const text[] = {
        "Usage: lf t55xx detect [1] [p <password>]",
        "Options:",
        " 1 - if set, use Graphbuffer otherwise read data from tag.",
        " p <password> - OPTIONAL password (8 hex characters)",
        " e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default), '1' long leading reference",
        " '2' leading zero, '3' 1 of 4 coding reference",
        "",
        "Examples:",
        " lf t55xx detect",
        " lf t55xx detect 1",
        " lf t55xx detect p 11223344",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx p1detect". Always returns 0. */
int usage_t55xx_detectP1(){
    static const char *const text[] = {
        "Command: Detect Page 1 of a t55xx chip",
        "Usage: lf t55xx p1detect [1] [p <password>]",
        "Options:",
        " 1 - if set, use Graphbuffer otherwise read data from tag.",
        " p <password> - OPTIONAL password (8 hex characters)",
        "",
        "Examples:",
        " lf t55xx p1detect",
        " lf t55xx p1detect 1",
        " lf t55xx p1detect p 11223344",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx wakeup". Always returns 0. */
int usage_t55xx_wakup(){
    static const char *const text[] = {
        "Usage: lf t55xx wakeup [h] <password>",
        "This commands send the Answer-On-Request command and leaves the readerfield ON afterwards.",
        "Options:",
        " h - this help",
        " <password> - [required] password 4bytes (8 hex symbols)",
        "",
        "Examples:",
        " lf t55xx wakeup 11223344 - send wakeup password",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx bruteforce". Always returns 0. */
int usage_t55xx_bruteforce(){
    static const char *const text[] = {
        "This command uses A) bruteforce to scan a number range",
        " B) a dictionary attack",
        "Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]",
        " password must be 4 bytes (8 hex symbols)",
        "Options:",
        " h - this help",
        " <start_pwd> - 4 byte hex value to start pwd search at",
        " <end_pwd> - 4 byte hex value to end pwd search at",
        " i <*.dic> - loads a default keys dictionary file <*.dic>",
        "",
        "Examples:",
        " lf t55xx bruteforce aaaaaaaa bbbbbbbb",
        " lf t55xx bruteforce i default_pwd.dic",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for the downlink-aware bruteforce variant. Always returns 0.
 * NOTE(review): the usage line names "lf t55xx bruteforce" although the option
 * list (r, e) differs from usage_t55xx_bruteforce - confirm the command name. */
int usage_t55xx_bruteforce_downlink(){
    static const char *const text[] = {
        "This command uses A) bruteforce to scan a number range",
        " B) a dictionary attack",
        "Usage: lf t55xx bruteforce <start password> <end password> [i <*.dic>]",
        " password must be 4 bytes (8 hex symbols)",
        "Options:",
        " h - this help",
        " r <start_pwd> <end_pwd> - 4 byte hex value to start and end pwd search at",
        " i <*.dic> - loads a default keys dictionary file <*.dic>",
        " e <mode> - OPTIONAL downlink encoding '0' fixed bit length (default)",
        " '1' long leading reference, '2' leading zero ",
        " '3' 1 of 4 coding reference, '4' special - try all downlink modes",
        "",
        "Examples:",
        " lf t55xx bruteforce aaaaaaaa bbbbbbbb",
        " lf t55xx bruteforce i default_pwd.dic",
        "",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
/* Print the help text for "lf t55xx wipe". Always returns 0. */
int usage_t55xx_wipe(){
    static const char *const text[] = {
        "Usage: lf t55xx wipe [h] [Q5]",
        "This commands wipes a tag, fills blocks 1-7 with zeros and a default configuration block",
        "Options:",
        " h - this help",
        " Q5 - indicates to use the T5555 (Q5) default configuration block",
        "",
        "Examples:",
        " lf t55xx wipe - wipes a t55x7 tag, config block 0x000880E0",
        " lf t55xx wipe Q5 - wipes a t5555 Q5 tag, config block 0x6001F004",
    };
    for (size_t k = 0; k < sizeof text / sizeof text[0]; ++k)
        PrintAndLog("%s", text[k]);
    return 0;
}
222
223
224 static int CmdHelp(const char *Cmd);
225
/* Print the column header that precedes printT55xxBlock() rows for `page`. */
void printT5xxHeader(uint8_t page){
    static const char *const columns = "blk | hex data | binary";
    static const char *const rule = "----+----------+---------------------------------";
    PrintAndLog("Reading Page %d:", page);
    PrintAndLog("%s", columns);
    PrintAndLog("%s", rule);
}
231
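/* "lf t55xx config": update the global demodulation `config` from the command
 * line and print the result.
 *
 * Options (see usage_t55xx_config): b <rate>, d <modulation>, i [1],
 * o <offset>, Q5, ST. With no arguments the current configuration is printed
 * unchanged. Returns printConfiguration()'s result, or usage_t55xx_config()'s
 * return value when an option could not be parsed. */
int CmdT55xxSetConfig(const char *Cmd) {
    // config.bitrate is an index into this table (RF/8 .. RF/128). The table
    // deliberately has no trailing 0: the old 9-entry version mapped "b 0" to
    // index 8, one past the end of every 8-entry rate table keyed by config.bitrate.
    static const uint8_t rates[8] = {8,16,32,40,50,64,100,128};
    // Modulation name -> DEMOD_* value, plus the value forced into
    // config.inverted for the variants that imply one (-1 = leave as is).
    static const struct { const char *name; int mod; int inverted; } mods[] = {
        {"FSK",   DEMOD_FSK,   -1},
        {"FSK1",  DEMOD_FSK1,   1},
        {"FSK1a", DEMOD_FSK1a,  0},
        {"FSK2",  DEMOD_FSK2,   0},
        {"FSK2a", DEMOD_FSK2a,  1},
        {"ASK",   DEMOD_ASK,   -1},
        {"NRZ",   DEMOD_NRZ,   -1},
        {"PSK1",  DEMOD_PSK1,  -1},
        {"PSK2",  DEMOD_PSK2,  -1},
        {"PSK3",  DEMOD_PSK3,  -1},
        {"BIa",   DEMOD_BIa,    1},
        {"BI",    DEMOD_BI,     0},
    };
    const size_t nmods = sizeof mods / sizeof mods[0];
    char modulation[6] = {0x00};   // longest name is "FSK2a" + NUL
    uint8_t offset = 0;
    uint8_t bitRate = 0;
    uint8_t cmdp = 0;
    bool errors = false;

    while (param_getchar(Cmd, cmdp) != 0x00 && !errors) {
        char tmp = param_getchar(Cmd, cmdp);
        switch (tmp) {
        case 'h':
        case 'H':
            return usage_t55xx_config();
        case 'b':
            errors |= param_getdec(Cmd, cmdp+1, &bitRate);
            if (!errors) {
                uint8_t i = 0;
                while (i < 8 && rates[i] != bitRate) ++i;
                if (i < 8) config.bitrate = i;
                else errors = true;   // not one of the supported rates
            }
            cmdp += 2;
            break;
        case 'd': {
            param_getstr(Cmd, cmdp+1, modulation, sizeof(modulation));
            cmdp += 2;
            size_t m = 0;
            while (m < nmods && strcmp(modulation, mods[m].name) != 0) ++m;
            if (m == nmods) {
                PrintAndLog("Unknown modulation '%s'", modulation);
                errors = true;
                break;
            }
            config.modulation = mods[m].mod;
            if (mods[m].inverted >= 0) config.inverted = mods[m].inverted;
            break;
        }
        case 'i':
            config.inverted = param_getchar(Cmd, cmdp+1) == '1';
            cmdp += 2;
            break;
        case 'o':
            errors |= param_getdec(Cmd, cmdp+1, &offset);
            if (!errors) config.offset = offset;
            cmdp += 2;
            break;
        case 'Q':
        case 'q':
            // Q5 and ST can only be switched on here; there is no option to clear them.
            config.Q5 = true;
            cmdp++;
            break;
        case 'S':
        case 's':
            config.ST = true;
            cmdp++;
            break;
        default:
            PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
            errors = true;
            break;
        }
    }

    // No args: just show the current configuration.
    if (cmdp == 0) return printConfiguration( config );

    if (errors) return usage_t55xx_config();

    // A manually entered configuration has no block 0 contents to show.
    config.block0 = 0;
    return printConfiguration ( config );
}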
338
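/* Acquire, demodulate and print one T55xx block.
 *
 * block         block number, or REGULAR_READ_MODE_BLOCK for regular read mode
 * page1         read page 1 instead of page 0
 * usepwd        send `password` with the read
 * override      skip the safety check that precedes a password read
 * password      32-bit password, only used when usepwd is set
 * downlink_mode downlink encoding (0..3), passed through to AquireData
 *
 * Returns 1 when the block was acquired, decoded and printed, 0 otherwise. */
int T55xxReadBlock(uint8_t block, bool page1, bool usepwd, bool override, uint32_t password, uint8_t downlink_mode){
    if (usepwd) {
        if (!override) {
            // Safety check: read the config block without a password first.
            // NOTE(review): the success branch never inspects the PWD bit of the
            // detected block0 - it drops the password (and page1) whenever
            // modulation detection succeeds, whatever the config block says.
            if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, false, 0, downlink_mode)) return 0;
            if (!tryDetectModulation()) {
                PrintAndLog("Safety Check: Could not detect if PWD bit is set in config block. Exits.");
                return 0;
            }
            PrintAndLog("Safety Check: PWD bit is NOT set in config block. Reading without password...");
            usepwd = false;
            page1 = false;
        } else {
            PrintAndLog("Safety Check Overriden - proceeding despite risk");
        }
    }

    if (!AquireData(page1, block, usepwd, password, downlink_mode)) return 0;
    if (!DecodeT55xxBlock()) return 0;

    // Bounded formatting of the block label (at most 3 digits for a uint8_t).
    char blk[10] = {0};
    snprintf(blk, sizeof blk, "%d", block);
    printT55xxBlock(blk);
    return 1;
}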
366
/* "lf t55xx read": parse options and read one block via T55xxReadBlock.
 * Without 'b' the REGULAR_READ_MODE_BLOCK sentinel is passed through.
 * Returns T55xxReadBlock's result, 0 for a block number outside 0..7, or the
 * usage text's return value on a bad option. */
int CmdT55xxReadBlock(const char *Cmd) {
    uint8_t block = REGULAR_READ_MODE_BLOCK;
    uint32_t password = 0;
    uint8_t downlink_mode = 0;
    bool usepwd = false, override = false, page1 = false;
    bool errors = false;
    uint8_t pos = 0;

    for (char opt = param_getchar(Cmd, pos); opt != 0x00 && !errors; opt = param_getchar(Cmd, pos)) {
        switch (opt) {
        case 'h':
        case 'H':
            return usage_t55xx_read();
        case 'b':
        case 'B':
            errors |= param_getdec(Cmd, pos+1, &block);
            pos += 2;
            break;
        case 'o':
        case 'O':
            override = true;
            pos++;
            break;
        case 'p':
        case 'P':
            password = param_get32ex(Cmd, pos+1, 0, 16);
            usepwd = true;
            pos += 2;
            break;
        case '1':
            page1 = true;
            pos++;
            break;
        case 'e':
        case 'E':
            // Anything outside '0'..'3' (including a missing digit) falls back to mode 0.
            downlink_mode = param_getchar(Cmd, pos+1) - '0';
            if (downlink_mode > 3) downlink_mode = 0;
            pos += 2;
            break;
        default:
            PrintAndLog("Unknown parameter '%c'", opt);
            errors = true;
            break;
        }
    }
    if (errors) return usage_t55xx_read();

    if (block > 7 && block != REGULAR_READ_MODE_BLOCK) {
        PrintAndLog("Block must be between 0 and 7");
        return 0;
    }

    printT5xxHeader(page1);
    return T55xxReadBlock(block, page1, usepwd, override, password, downlink_mode);
}
424
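/* Demodulate the sampled graph buffer into DemodBuffer according to the
 * global `config` (modulation, bitrate index, inverted, ST).
 * Returns true when the selected demodulator reports success; false for an
 * unknown modulation or a bitrate index outside the 8-entry rate table. */
bool DecodeT55xxBlock(){
    static const uint8_t bitRate[8] = {8,16,32,40,50,64,100,128};
    char buf[30] = {0x00};
    char *cmdStr = buf;
    int ans = 0;
    bool ST = config.ST;
    DemodBufferLen = 0x00;

    // config.bitrate indexes bitRate[]. Modulation detection stores the raw
    // 6-bit rate field for extended-mode tags (up to 63), so guard the index
    // instead of reading past the table.
    if (config.bitrate >= sizeof bitRate) {
        PrintAndLog("Unsupported bit rate index %d", config.bitrate);
        return false;
    }

    switch( config.modulation ){
        case DEMOD_FSK:
            snprintf(cmdStr, sizeof(buf),"%d %d", bitRate[config.bitrate], config.inverted );
            ans = FSKrawDemod(cmdStr, false);
            break;
        case DEMOD_FSK1:
        case DEMOD_FSK1a:
            // field clocks 8/5
            snprintf(cmdStr, sizeof(buf),"%d %d 8 5", bitRate[config.bitrate], config.inverted );
            ans = FSKrawDemod(cmdStr, false);
            break;
        case DEMOD_FSK2:
        case DEMOD_FSK2a:
            // field clocks 10/8
            snprintf(cmdStr, sizeof(buf),"%d %d 10 8", bitRate[config.bitrate], config.inverted );
            ans = FSKrawDemod(cmdStr, false);
            break;
        case DEMOD_ASK:
            snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
            ans = ASKDemod_ext(cmdStr, false, false, 1, &ST);
            break;
        case DEMOD_PSK1:
            // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
            save_restoreGB(GRAPH_SAVE);
            CmdLtrim("160");
            snprintf(cmdStr, sizeof(buf),"%d %d 6", bitRate[config.bitrate], config.inverted );
            ans = PSKDemod(cmdStr, false);
            //undo trim samples
            save_restoreGB(GRAPH_RESTORE);
            break;
        case DEMOD_PSK2: //inverted won't affect this
        case DEMOD_PSK3: //not fully implemented
            // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
            save_restoreGB(GRAPH_SAVE);
            CmdLtrim("160");
            snprintf(cmdStr, sizeof(buf),"%d 0 6", bitRate[config.bitrate] );
            ans = PSKDemod(cmdStr, false);
            psk1TOpsk2(DemodBuffer, DemodBufferLen);
            //undo trim samples
            save_restoreGB(GRAPH_RESTORE);
            break;
        case DEMOD_NRZ:
            snprintf(cmdStr, sizeof(buf),"%d %d 1", bitRate[config.bitrate], config.inverted );
            ans = NRZrawDemod(cmdStr, false);
            break;
        case DEMOD_BI:
        case DEMOD_BIa:
            snprintf(cmdStr, sizeof(buf),"0 %d %d 1", bitRate[config.bitrate], config.inverted );
            ans = ASKbiphaseDemod(cmdStr, false);
            break;
        default:
            return false;
    }
    return (bool) ans;
}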
487
/* Demodulate a T5555 trace block. The parameters are fixed by the datasheet:
 * RF/64, not inverted, Manchester - so `config` is not consulted. */
bool DecodeT5555TraceBlock() {
    DemodBufferLen = 0x00;
    int ans = ASKDemod("64 0 1", false, false, 1);
    return ans != 0;
}
494
/* "lf t55xx detect": acquire the configuration block (unless '1' selects the
 * graph buffer already captured) and run modulation auto-detection.
 * Returns 1 after the attempt, 0 when acquisition failed, or the usage text's
 * return value on a bad option. */
int CmdT55xxDetect(const char *Cmd){
    static const char *const downlink_names[] = {
        "Downlink : e 0 - Default/Fixed Bit Length",
        "Downlink : e 1 - Long Leading Reference",
        "Downlink : e 2 - Leading Zero Reference",
        "Downlink : e 3 - 1 of 4 Coding",
    };
    bool errors = false, useGB = false, usepwd = false;
    uint32_t password = 0;
    uint8_t pos = 0;
    uint8_t downlink_mode = 0;

    for (char opt = param_getchar(Cmd, pos); opt != 0x00 && !errors; opt = param_getchar(Cmd, pos)) {
        switch (opt) {
        case 'h':
        case 'H':
            return usage_t55xx_detect();
        case 'p':
        case 'P':
            password = param_get32ex(Cmd, pos+1, 0, 16);
            usepwd = true;
            pos += 2;
            break;
        case '1':
            useGB = true;   // decode what is already in the graph buffer
            pos++;
            break;
        case 'e':
        case 'E':
            downlink_mode = param_getchar(Cmd, pos+1) - '0';
            if (downlink_mode > 3) downlink_mode = 0;
            pos += 2;
            break;
        default:
            PrintAndLog("Unknown parameter '%c'", opt);
            errors = true;
            break;
        }
    }
    if (errors) return usage_t55xx_detect();

    if (!useGB && !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, usepwd, password, downlink_mode))
        return 0;

    if (!tryDetectModulation()) {
        PrintAndLog("Could not detect modulation automatically. Try setting it manually with \'lf t55xx config\'");
    } else if (downlink_mode < 4) {
        // Report the downlink mode the detection was run with (parser keeps it in 0..3).
        PrintAndLog("%s", downlink_names[downlink_mode]);
    }
    return 1;
}
554
/* Auto-detect the tag's demodulation settings from the current graph buffer.
 * Runs the FSK demodulators when fskClocks reports an FSK field-clock pair,
 * otherwise tries ASK, biphase, NRZ and PSK (plain and inverted), and keeps
 * every candidate whose decoded block 0 passes test().
 * Returns true and copies the candidate into the global `config` (then prints
 * it) only when exactly one candidate was found; with several, all are printed
 * and config is left untouched; with none, returns false silently.
 * The demodulators overwrite the global DemodBuffer/DemodBufferLen, and test()
 * writes tests[hits].offset and .Q5 before a hit is confirmed, so the order of
 * the calls below matters. */
bool tryDetectModulation(){
    uint8_t hits = 0;
    t55xx_conf_block_t tests[15];   // the branches below add at most 10 entries
    int bitRate=0;
    uint8_t fc1 = 0, fc2 = 0, ans = 0;
    int clk = 0, firstClockEdge = 0;
    // NOTE(review): clk is an int handed to fskClocks as a uint8_t*; presumably
    // only one byte of it is written, the rest keeping the initial 0 - confirm.
    ans = fskClocks(&fc1, &fc2, (uint8_t *)&clk, false, &firstClockEdge);
    // Field-clock pairs 10/8 and 8/5 select the FSK path; everything else is tried otherwise.
    if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) {
        // Non-inverted FSK: 8/5 is reported as FSK1a, 10/8 as FSK2.
        if ( FSKrawDemod("0 0", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
            tests[hits].modulation = DEMOD_FSK;
            if (fc1==8 && fc2 == 5)
                tests[hits].modulation = DEMOD_FSK1a;
            else if (fc1==10 && fc2 == 8)
                tests[hits].modulation = DEMOD_FSK2;
            tests[hits].bitrate = bitRate;
            tests[hits].inverted = false;
            tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
            tests[hits].ST = false;
            ++hits;
        }
        // Inverted FSK: 8/5 is reported as FSK1, 10/8 as FSK2a.
        if ( FSKrawDemod("0 1", false) && test(DEMOD_FSK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
            tests[hits].modulation = DEMOD_FSK;
            if (fc1 == 8 && fc2 == 5)
                tests[hits].modulation = DEMOD_FSK1;
            else if (fc1 == 10 && fc2 == 8)
                tests[hits].modulation = DEMOD_FSK2a;
            tests[hits].bitrate = bitRate;
            tests[hits].inverted = true;
            tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
            tests[hits].ST = false;
            ++hits;
        }
    } else {
        clk = GetAskClock("", false, false);
        if (clk>0) {
            // ST is preset to true and passed by pointer; presumably ASKDemod_ext
            // clears it when no sequence terminator is found - confirm.
            tests[hits].ST = true;
            if ( ASKDemod_ext("0 0 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_ASK;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = false;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                ++hits;
            }
            tests[hits].ST = true;
            if ( ASKDemod_ext("0 1 1", false, false, 1, &tests[hits].ST) && test(DEMOD_ASK, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_ASK;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = true;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                ++hits;
            }
            // Biphase, plain and inverted (BIa).
            if ( ASKbiphaseDemod("0 0 0 2", false) && test(DEMOD_BI, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
                tests[hits].modulation = DEMOD_BI;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = false;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }
            if ( ASKbiphaseDemod("0 0 1 2", false) && test(DEMOD_BIa, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5) ) {
                tests[hits].modulation = DEMOD_BIa;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = true;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }
        }
        clk = GetNrzClock("", false, false);
        if (clk>8) { //clock of rf/8 is likely a false positive, so don't use it.
            if ( NRZrawDemod("0 0 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_NRZ;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = false;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }

            if ( NRZrawDemod("0 1 1", false) && test(DEMOD_NRZ, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_NRZ;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = true;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }
        }

        clk = GetPskClock("", false, false);
        if (clk>0) {
            // allow undo
            save_restoreGB(GRAPH_SAVE);
            // skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
            CmdLtrim("160");
            if ( PSKDemod("0 0 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_PSK1;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = false;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }
            if ( PSKDemod("0 1 6", false) && test(DEMOD_PSK1, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)) {
                tests[hits].modulation = DEMOD_PSK1;
                tests[hits].bitrate = bitRate;
                tests[hits].inverted = true;
                tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                tests[hits].ST = false;
                ++hits;
            }
            // PSK2 - needs a call to psk1TOpsk2.
            if ( PSKDemod("0 0 6", false)) {
                psk1TOpsk2(DemodBuffer, DemodBufferLen);
                if (test(DEMOD_PSK2, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
                    tests[hits].modulation = DEMOD_PSK2;
                    tests[hits].bitrate = bitRate;
                    tests[hits].inverted = false;
                    tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                    tests[hits].ST = false;
                    ++hits;
                }
            } // inverse waves does not affect this demod
            // PSK3 - needs a call to psk1TOpsk2.
            if ( PSKDemod("0 0 6", false)) {
                psk1TOpsk2(DemodBuffer, DemodBufferLen);
                if (test(DEMOD_PSK3, &tests[hits].offset, &bitRate, clk, &tests[hits].Q5)){
                    tests[hits].modulation = DEMOD_PSK3;
                    tests[hits].bitrate = bitRate;
                    tests[hits].inverted = false;
                    tests[hits].block0 = PackBits(tests[hits].offset, 32, DemodBuffer);
                    tests[hits].ST = false;
                    ++hits;
                }
            } // inverse waves does not affect this demod
            //undo trim samples
            save_restoreGB(GRAPH_RESTORE);
        }
    }
    // Exactly one candidate: adopt it as the active configuration.
    if ( hits == 1) {
        config.modulation = tests[0].modulation;
        config.bitrate = tests[0].bitrate;
        config.inverted = tests[0].inverted;
        config.offset = tests[0].offset;
        config.block0 = tests[0].block0;
        config.Q5 = tests[0].Q5;
        config.ST = tests[0].ST;
        printConfiguration( config );
        return true;
    }

    // Ambiguous: list every candidate and leave it to the user to pick one.
    if ( hits > 1) {
        PrintAndLog("Found [%d] possible matches for modulation.",hits);
        for(int i=0; i<hits; ++i){
            PrintAndLog("--[%d]---------------", i+1);
            printConfiguration( tests[i] );
        }
    }
    return false;
}
716
/* True when the modulation field `modread` decoded from a T55x7 config block
 * is consistent with the demodulator `mode` that produced it. Any of the four
 * FSK variants counts as a match for DEMOD_FSK; the others must match exactly. */
bool testModulation(uint8_t mode, uint8_t modread){
    switch (mode) {
    case DEMOD_FSK:
        return modread >= DEMOD_FSK1 && modread <= DEMOD_FSK2a;
    case DEMOD_ASK:
    case DEMOD_PSK1:
    case DEMOD_PSK2:
    case DEMOD_PSK3:
    case DEMOD_NRZ:
    case DEMOD_BI:
    case DEMOD_BIa:
        return modread == mode;
    default:
        return false;
    }
}
748
/* True when the 3-bit modulation field `modread` of a T5555 (Q5) config block
 * is consistent with the demodulator `mode`. The Q5 encoding differs from the
 * DEMOD_* values, hence the explicit numeric mapping; DEMOD_BIa has no Q5 code. */
bool testQ5Modulation(uint8_t mode, uint8_t modread){
    uint8_t want;
    switch (mode) {
    case DEMOD_FSK:
        return modread >= 4 && modread <= 5;
    case DEMOD_ASK:  want = 0; break;
    case DEMOD_PSK1: want = 1; break;
    case DEMOD_PSK2: want = 2; break;
    case DEMOD_PSK3: want = 3; break;
    case DEMOD_NRZ:  want = 7; break;
    case DEMOD_BI:   want = 6; break;
    default:
        return false;
    }
    return modread == want;
}
777
/* Map a decoded Q5 bit rate (RF/8 .. RF/128) to its index in the 8-entry rate
 * table used by config.bitrate; -1 when the rate is not one of the eight. */
int convertQ5bitRate(uint8_t bitRateRead) {
    static const uint8_t table[] = {8, 16, 32, 40, 50, 64, 100, 128};
    int idx = 0;
    while (idx < 8 && table[idx] != bitRateRead) ++idx;
    return idx < 8 ? idx : -1;
}
786
/* Scan DemodBuffer for a T5555 (Q5) configuration block consistent with the
 * demodulator `mode` and the measured clock `clk`.
 * On success writes the bit offset of the block to *offset, the rate index
 * (0..7, see convertQ5bitRate) to *fndBitRate and returns true; otherwise
 * returns false with the outputs possibly partially written. Needs at least
 * 64 demodulated bits. */
bool testQ5(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk){

    if ( DemodBufferLen < 64 ) return false;
    uint8_t si = 0;
    // Try every start position 28..63; `si` walks the fields from `idx`.
    for (uint8_t idx = 28; idx < 64; idx++){
        si = idx;
        // A run of 28 zero bits cannot be the start of a config block.
        if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;

        uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
        uint8_t resv = PackBits(si, 8, DemodBuffer); si += 8;
        // 2nibble must be zeroed.
        // Master key nibble must be 0x6 or 0x9 and the reserved byte zero.
        if (safer != 0x6 && safer != 0x9) continue;
        if ( resv > 0x00) continue;
        //uint8_t pageSel = PackBits(si, 1, DemodBuffer); si += 1;
        //uint8_t fastWrite = PackBits(si, 1, DemodBuffer); si += 1;
        si += 1+1;
        // 6-bit field stores (rate - 2) / 2, so the decoded rate is field*2 + 2.
        int bitRate = PackBits(si, 6, DemodBuffer)*2 + 2; si += 6; //bit rate
        if (bitRate > 128 || bitRate < 8) continue;

        //uint8_t AOR = PackBits(si, 1, DemodBuffer); si += 1;
        //uint8_t PWD = PackBits(si, 1, DemodBuffer); si += 1;
        //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2; //could check psk cr
        //uint8_t inverse = PackBits(si, 1, DemodBuffer); si += 1;
        si += 1+1+2+1;
        uint8_t modread = PackBits(si, 3, DemodBuffer); si += 3;
        uint8_t maxBlk = PackBits(si, 3, DemodBuffer); si += 3;
        //uint8_t ST = PackBits(si, 1, DemodBuffer); si += 1;
        if (maxBlk == 0) continue;
        //test modulation
        if (!testQ5Modulation(mode, modread)) continue;
        // The decoded rate must equal the clock measured from the signal.
        if (bitRate != clk) continue;
        *fndBitRate = convertQ5bitRate(bitRate);
        if (*fndBitRate < 0) continue;
        *offset = idx;

        return true;
    }
    return false;
}
826
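/* True when rate index `readRate` (0..7, as stored in a T55x7 config block)
 * names the rate `clk` measured from the signal. Indices past the 8-entry
 * table are rejected instead of being read out of bounds (the caller in test()
 * already filters them, but this keeps the helper safe on its own). */
bool testBitRate(uint8_t readRate, uint8_t clk){
    static const uint8_t expected[] = {8, 16, 32, 40, 50, 64, 100, 128};
    if (readRate >= sizeof expected / sizeof expected[0]) return false;
    return expected[readRate] == clk;
}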
834
/* Scan DemodBuffer for a T55x7 configuration block consistent with the
 * demodulator `mode` and the measured clock `clk`; falls back to testQ5 when
 * no T55x7 layout matches.
 * On success writes the block's bit offset to *offset, the rate to *fndBitRate,
 * sets *Q5 (false for T55x7, true for a Q5 match) and returns true.
 * NOTE: for an extended-mode T55x7 block *fndBitRate receives the raw 6-bit
 * rate field (0..63), not an index into the 8-entry rate table; for a normal
 * block and for Q5 it is an index 0..7. Needs at least 64 demodulated bits. */
bool test(uint8_t mode, uint8_t *offset, int *fndBitRate, uint8_t clk, bool *Q5){

    if ( DemodBufferLen < 64 ) return false;
    uint8_t si = 0;
    // Try every start position 28..63; `si` walks the fields from `idx`.
    for (uint8_t idx = 28; idx < 64; idx++){
        si = idx;
        // A run of 28 zero bits cannot be the start of a config block.
        if ( PackBits(si, 28, DemodBuffer) == 0x00 ) continue;

        uint8_t safer = PackBits(si, 4, DemodBuffer); si += 4; //master key
        uint8_t resv = PackBits(si, 4, DemodBuffer); si += 4; //was 7 & +=7+3 //should be only 4 bits if extended mode
        // 2nibble must be zeroed.
        // moved test to here, since this gets most faults first.
        if ( resv > 0x00) continue;

        int bitRate = PackBits(si, 6, DemodBuffer); si += 6; //bit rate (includes extended mode part of rate)
        uint8_t extend = PackBits(si, 1, DemodBuffer); si += 1; //bit 15 extended mode
        uint8_t modread = PackBits(si, 5, DemodBuffer); si += 5+2+1;
        //uint8_t pskcr = PackBits(si, 2, DemodBuffer); si += 2+1; //could check psk cr
        //uint8_t nml01 = PackBits(si, 1, DemodBuffer); si += 1+5; //bit 24, 30, 31 could be tested for 0 if not extended mode
        //uint8_t nml02 = PackBits(si, 2, DemodBuffer); si += 2;

        //if extended mode
        // Extended mode needs both the master-key nibble (0x6 or 0x9) and the X-mode bit.
        bool extMode =( (safer == 0x6 || safer == 0x9) && extend) ? true : false;

        if (!extMode) {
            // Normal mode: bitRate is an index 0..7 into the rate table.
            if (bitRate > 7) continue;
            if (!testBitRate(bitRate, clk)) continue;
        } else { //extended mode bitrate = same function to calc bitrate as em4x05
            if (EM4x05_GET_BITRATE(bitRate) != clk) continue;

        }
        //test modulation
        if (!testModulation(mode, modread)) continue;
        *fndBitRate = bitRate;
        *offset = idx;
        *Q5 = false;
        return true;
    }
    // No T55x7 layout found: try the Q5 (T5555) layout before giving up.
    if (testQ5(mode, offset, fndBitRate, clk)) {
        *Q5 = true;
        return true;
    }
    return false;
}
879
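/* Print the 32 demodulated bits starting at config.offset as one table row:
 * "<blockNum> | <hex word> | <binary>". Prints nothing when DemodBuffer is
 * empty, and a diagnostic instead of a row when the offset leaves fewer than
 * 32 bits in the buffer. */
void printT55xxBlock(const char *blockNum){
    uint8_t bits[64] = {0x00};
    // Widen before adding: "32 + offset" overflowed the uint8_t used before,
    // so offsets above 223 wrapped and slipped past the range check below.
    unsigned int start = config.offset;
    unsigned int endpos = 32 + start;

    if (!DemodBufferLen) return;

    if (endpos > DemodBufferLen) {
        PrintAndLog("The configured offset %d is too big. Possible offset: %d)", config.offset, DemodBufferLen-32);
        return;
    }

    for (unsigned int i = start; i < endpos; ++i)
        bits[i - start] = DemodBuffer[i];

    uint32_t blockData = PackBits(0, 32, bits);

    PrintAndLog(" %s | %08X | %s", blockNum, blockData, sprint_bin(bits,32));
}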
901
/* Print the 32-bit word found at each of the first 64 bit offsets of
 * DemodBuffer (presumably a debugging aid for eyeballing block alignment).
 * Reads DemodBuffer[0..95] without consulting DemodBufferLen. Cmd is unused;
 * always returns 0. */
int special(const char *Cmd) {
    uint8_t window[32] = {0x00};

    PrintAndLog("OFFSET | DATA | BINARY");
    PrintAndLog("----------------------------------------------------");
    for (int off = 0; off < 64; ++off) {
        for (int k = 0; k < 32; ++k)
            window[k] = DemodBuffer[off + k];

        uint32_t word = PackBits(0, 32, window);

        PrintAndLog(" %02d | 0x%08X | %s", off, word, sprint_bin(window, 32));
    }
    return 0;
}
920
/* Print one configuration (chip type, modulation, rate, inversion, offset,
 * sequence terminator, block 0) as a labelled list. Always returns 0. */
int printConfiguration( t55xx_conf_block_t b){
    const char *chip = b.Q5 ? "T5555(Q5)" : "T55x7";
    // The rate is only an extended-mode rate when the X-mode bit is set and
    // the master-key nibble (top 4 bits of block 0) is 6 or 9.
    bool xmode = (b.block0 & T55x7_X_MODE) && ((b.block0 >> 28) == 6 || (b.block0 >> 28) == 9);
    const char *yes_no_inverted = b.inverted ? "Yes" : "No";
    const char *yes_no_st = b.ST ? "Yes" : "No";

    PrintAndLog("Chip Type : %s", chip);
    PrintAndLog("Modulation : %s", GetSelectedModulationStr(b.modulation));
    PrintAndLog("Bit Rate : %s", GetBitRateStr(b.bitrate, xmode));
    PrintAndLog("Inverted : %s", yes_no_inverted);
    PrintAndLog("Offset : %d", b.offset);
    PrintAndLog("Seq. Term. : %s", yes_no_st);
    PrintAndLog("Block0 : 0x%08X", b.block0);
    PrintAndLog("");
    return 0;
}
932
int CmdT55xxWakeUp(const char *Cmd) {
	// lf t55xx wakeup <pwd>: queue a CMD_T55XX_WAKEUP carrying a 32-bit hex
	// password.  No argument or 'h' prints usage.  Returns 0 as soon as the
	// command is sent; the device's reply is not awaited.
	// NOTE(review): the password is handed to the device for transmission to
	// the tag; presumably it goes over the LF air interface unencrypted, so
	// anyone sniffing the field while this is used can capture it.
	if (*Cmd == '\0') return usage_t55xx_wakup();

	char first = param_getchar(Cmd, 0);
	if (first == 'h' || first == 'H') return usage_t55xx_wakup();

	uint32_t password = param_get32ex(Cmd, 0, 0, 16);
	UsbCommand c = {CMD_T55XX_WAKEUP, {password, 0, 0}};

	clearCommandBuffer();
	SendCommand(&c);
	PrintAndLog("Wake up command sent. Try read now");
	return 0;
}
947
int CmdT55xxWriteBlock(const char *Cmd) {
	// lf t55xx write: write one 32-bit word to a T55xx block.
	//   b <0-7>  block number (required; out-of-range values are rejected)
	//   d <hex>  data word (required)
	//   p <hex>  password; also sets the password flag for the device
	//   t        test-mode write
	//   1        target page 1 instead of page 0
	//   e <0-3>  downlink encoding, anything else falls back to 0
	// Flag byte handed to the device in d.asBytes[0]:
	//   bit0 password, bit1 page 1, bit2 test mode, bits 3-4 downlink mode.
	// Returns 1 when the device ACKed the write within 1 s, 0 otherwise
	// (usage paths return whatever usage_t55xx_write returns).
	// Block 0 is the configuration word and, per the default-value comment
	// below, block 7 is the password block: a wrong write to either can leave
	// the tag unreadable without the new password, so check the data word.
	uint8_t block = 0xFF;           // invalid until 'b' is parsed
	uint32_t data = 0;              // default to blank Block
	uint32_t password = 0;          // default to blank Block 7
	uint32_t dlMode = 0;

	bool usepwd = false;
	bool page1 = false;
	bool gotdata = false;
	bool testMode = false;
	bool errors = false;
	uint8_t cmdp = 0;

	for (char opt = param_getchar(Cmd, cmdp); opt != '\0' && !errors; opt = param_getchar(Cmd, cmdp)) {
		switch (tolower((unsigned char)opt)) {
			case 'h':
				return usage_t55xx_write();
			case 'b':
				errors |= param_getdec(Cmd, cmdp+1, &block);
				cmdp += 2;
				break;
			case 'd':
				data = param_get32ex(Cmd, cmdp+1, 0, 16);
				gotdata = true;
				cmdp += 2;
				break;
			case 'p':
				password = param_get32ex(Cmd, cmdp+1, 0, 16);
				usepwd = true;
				cmdp += 2;
				break;
			case 't':
				testMode = true;
				cmdp++;
				break;
			case '1':
				page1 = true;
				cmdp++;
				break;
			case 'e':
				// Unsigned arithmetic: a missing or non-digit character yields
				// a large value and is mapped back to mode 0.
				dlMode = param_getchar(Cmd, cmdp+1) - '0';
				if (dlMode > 3) dlMode = 0;
				cmdp += 2;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", opt);
				errors = true;
				break;
		}
	}
	if (errors || !gotdata) return usage_t55xx_write();

	if (block > 7) {
		PrintAndLog("Block number must be between 0 and 7");
		return 0;
	}

	uint8_t flags = 0;
	if (page1)    flags |= 0x2;
	if (testMode) flags |= 0x4;
	flags |= (uint8_t)(dlMode << 3);

	// "pwd: 0x" (7) + 8 hex digits + NUL fits the 16 bytes exactly.
	char pwdStr[16] = {0};
	snprintf(pwdStr, sizeof(pwdStr), "pwd: 0x%08X", password);

	PrintAndLog("Writing page %d block: %02d data: 0x%08X %s", page1, block, data, usepwd ? pwdStr : "" );

	UsbCommand c = {CMD_T55XX_WRITE_BLOCK, {data, block, 0}};
	UsbCommand resp;

	//Password mode
	if (usepwd) {
		c.arg[2] = password;
		flags |= 0x1;
	}
	c.d.asBytes[0] = flags;

	clearCommandBuffer();
	SendCommand(&c);
	if (!WaitForResponseTimeout(CMD_ACK, &resp, 1000)){
		PrintAndLog("Error occurred, device did not ACK write operation. (May be due to old firmware)");
		return 0;
	}
	return 1;
}
1035
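int CmdT55xxReadTrace(const char *Cmd) {
	// lf t55xx trace: read and decode the page-1 factory trace data.
	// No argument: the page is acquired from the tag first (no password).
	// Any other single non-'h' character: decode the buffer already present.
	// Returns 0 in every case; problems are reported through PrintAndLog.
	char cmdp = param_getchar(Cmd, 0);
	bool pwdmode = false;
	uint32_t password = 0;
	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H')
		return usage_t55xx_trace();

	if (strlen(Cmd)==0)
		if ( !AquireData( T55x7_PAGE1, REGULAR_READ_MODE_BLOCK, pwdmode, password,0 ) )
			return 0;

	if ( config.Q5 ) {
		if (!DecodeT5555TraceBlock()) return 0;
	} else {
		if (!DecodeT55xxBlock()) return 0;
	}

	if ( !DemodBufferLen ) return 0;

	RepaintGraphWindow();
	uint8_t repeat = (config.offset > 5) ? 32 : 0;

	// Both layouts below consume two 32-bit words (bl1, bl2) from the start
	// index, so the demod buffer must hold start+64 bits.  The original only
	// checked for a non-empty buffer and would happily decode stale bits
	// left over from a previous demod as trace data.  PackBits() takes a
	// uint8_t start, so the index must also fit in a byte.
	size_t start = (size_t)config.offset + repeat;
	if (start > UINT8_MAX || start + 64 > DemodBufferLen) {
		PrintAndLog("Not enough demodulated data for trace decode (have %u bits, need %u from offset %u)",
			(unsigned)DemodBufferLen, (unsigned)(start + 64), (unsigned)start);
		return 0;
	}
	uint8_t si = (uint8_t)start;
	uint32_t bl1 = PackBits(si, 32, DemodBuffer);
	uint32_t bl2 = PackBits(si+32, 32, DemodBuffer);

	if (config.Q5) {
		uint32_t hdr = PackBits(si, 9, DemodBuffer); si += 9;

		if (hdr != 0x1FF) {
			PrintAndLog("Invalid Q5 Trace data header (expected 0x1FF, found %X)", hdr);
			return 0;
		}

		t5555_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .icr = 0, .lotidc = '?', .lotid = 0, .wafer = 0, .dw =0};

		// Field widths and the skipped parity bits follow the layout listed
		// in printT5555Trace().
		data.icr = PackBits(si, 2, DemodBuffer); si += 2;
		data.lotidc = 'Z' - PackBits(si, 2, DemodBuffer); si += 3;

		data.lotid = PackBits(si, 4, DemodBuffer); si += 5;
		data.lotid <<= 4;
		data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
		data.lotid <<= 4;
		data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
		data.lotid <<= 4;
		data.lotid |= PackBits(si, 4, DemodBuffer); si += 5;
		data.lotid <<= 1;
		data.lotid |= PackBits(si, 1, DemodBuffer); si += 1;

		data.wafer = PackBits(si, 3, DemodBuffer); si += 4;
		data.wafer <<= 2;
		data.wafer |= PackBits(si, 2, DemodBuffer); si += 2;

		data.dw = PackBits(si, 2, DemodBuffer); si += 3;
		data.dw <<= 4;
		data.dw |= PackBits(si, 4, DemodBuffer); si += 5;
		data.dw <<= 4;
		data.dw |= PackBits(si, 4, DemodBuffer); si += 5;
		data.dw <<= 4;
		data.dw |= PackBits(si, 4, DemodBuffer); si += 5;

		printT5555Trace(data, repeat);

	} else {

		t55x7_tracedata_t data = {.bl1 = bl1, .bl2 = bl2, .acl = 0, .mfc = 0, .cid = 0, .year = 0, .quarter = 0, .icr = 0, .lotid = 0, .wafer = 0, .dw = 0};

		data.acl = PackBits(si, 8, DemodBuffer); si += 8;
		if ( data.acl != 0xE0 ) {
			PrintAndLog("The modulation is most likely wrong since the ACL is not 0xE0. ");
			return 0;
		}

		data.mfc = PackBits(si, 8, DemodBuffer); si += 8;
		data.cid = PackBits(si, 5, DemodBuffer); si += 5;
		data.icr = PackBits(si, 3, DemodBuffer); si += 3;
		data.year = PackBits(si, 4, DemodBuffer); si += 4;
		data.quarter = PackBits(si, 2, DemodBuffer); si += 2;
		data.lotid = PackBits(si, 14, DemodBuffer); si += 14;
		data.wafer = PackBits(si, 5, DemodBuffer); si += 5;
		data.dw = PackBits(si, 15, DemodBuffer);

		// The year is a single digit on the tag.  tm_year counts from 1900,
		// so tm_year-110 is "years since 2010": if 2010+digit would lie in
		// the future the tag must be from 200x.  localtime() can return NULL
		// (the original dereferenced it unconditionally).
		time_t t = time(NULL);
		struct tm *now = localtime(&t);
		int yearsSince2010 = now ? now->tm_year - 110 : 0;
		if ( data.year > yearsSince2010)
			data.year += 2000;
		else
			data.year += 2010;

		printT55x7Trace(data, repeat);
	}
	return 0;
}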
1129
void printT55x7Trace( t55x7_tracedata_t data, uint8_t repeat ){
	// Pretty-print decoded T55x7 page-1 trace data followed by the two raw
	// words.  'repeat' is the extra bit offset (0 or 32) the caller decoded
	// from, so the raw binary columns match the decoded fields.
	static const char rule[] = "-------------------------------------------------------------";
	uint8_t *raw = DemodBuffer + config.offset + repeat;

	PrintAndLog("-- T55x7 Trace Information ----------------------------------");
	PrintAndLog("%s", rule);
	PrintAndLog(" ACL Allocation class (ISO/IEC 15963-1) : 0x%02X (%d)", data.acl, data.acl);
	PrintAndLog(" MFC Manufacturer ID (ISO/IEC 7816-6) : 0x%02X (%d) - %s", data.mfc, data.mfc, getManufacturerName(data.mfc));
	PrintAndLog(" CID : 0x%02X (%d) - %s", data.cid, data.cid, GetModelStrFromCID(data.cid));
	PrintAndLog(" ICR IC Revision : %d", data.icr );
	PrintAndLog(" Manufactured");
	PrintAndLog(" Year/Quarter : %d/%d", data.year, data.quarter);
	PrintAndLog(" Lot ID : %d", data.lotid );
	PrintAndLog(" Wafer number : %d", data.wafer);
	PrintAndLog(" Die Number : %d", data.dw);
	PrintAndLog("%s", rule);
	PrintAndLog(" Raw Data - Page 1");
	PrintAndLog(" Block 1 : 0x%08X %s", data.bl1, sprint_bin(raw, 32) );
	PrintAndLog(" Block 2 : 0x%08X %s", data.bl2, sprint_bin(raw + 32, 32) );
	PrintAndLog("%s", rule);

	/*
	TRACE - BLOCK O
	Bits Definition HEX
	1-8 ACL Allocation class (ISO/IEC 15963-1) 0xE0
	9-16 MFC Manufacturer ID (ISO/IEC 7816-6) 0x15 Atmel Corporation
	17-21 CID 0x1 = Atmel ATA5577M1 0x2 = Atmel ATA5577M2
	22-24 ICR IC revision
	25-28 YEAR (BCD encoded) 9 (= 2009)
	29-30 QUARTER 1,2,3,4
	31-32 LOT ID

	TRACE - BLOCK 1
	1-12 LOT ID
	13-17 Wafer number
	18-32 DW, die number sequential
	*/
}
1165
void printT5555Trace( t5555_tracedata_t data, uint8_t repeat ){
	// Pretty-print decoded T5555 (Q5) page-1 trace data followed by the two
	// raw words; 'repeat' is the extra bit offset the caller decoded from.
	static const char rule[] = "-------------------------------------------------------------";
	uint8_t *raw = DemodBuffer + config.offset + repeat;

	PrintAndLog("-- T5555 (Q5) Trace Information -----------------------------");
	PrintAndLog("%s", rule);
	PrintAndLog(" ICR IC Revision : %d", data.icr );
	PrintAndLog(" Lot : %c%d", data.lotidc, data.lotid);
	PrintAndLog(" Wafer number : %d", data.wafer);
	PrintAndLog(" Die Number : %d", data.dw);
	PrintAndLog("%s", rule);
	PrintAndLog(" Raw Data - Page 1");
	PrintAndLog(" Block 1 : 0x%08X %s", data.bl1, sprint_bin(raw, 32) );
	PrintAndLog(" Block 2 : 0x%08X %s", data.bl2, sprint_bin(raw + 32, 32) );

	/*
	** Q5 **
	TRACE - BLOCK O and BLOCK1
	Bits Definition HEX
	1-9 Header 0x1FF
	10-11 IC Revision
	12-13 Lot ID char
	15-35 Lot ID (NB parity)
	36-41 Wafer number (NB parity)
	42-58 DW, die number sequential (NB parity)
	60-63 Parity bits
	64 Always zero
	*/
}
1192
1193 //need to add Q5 info...
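int CmdT55xxInfo(const char *Cmd){
	/*
	Page 0 Block 0 Configuration data.
	Normal mode
	Extended mode
	*/
	// lf t55xx info: decode the T55x7 configuration word (page 0, block 0).
	// No argument: read the block from the tag first (no password).
	// Any other single non-'h' character: decode the buffer already present.
	// Returns 1 when nothing could be decoded, 0 after printing.
	bool pwdmode = false;
	uint32_t password = 0;
	char cmdp = param_getchar(Cmd, 0);

	if (strlen(Cmd) > 1 || cmdp == 'h' || cmdp == 'H')
		return usage_t55xx_info();

	if (strlen(Cmd)==0)
		if ( !AquireData( T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, pwdmode, password,0 ) )
			return 1;

	if (!DecodeT55xxBlock()) return 1;

	// The 32 bits are taken from config.offset onwards, so the buffer must
	// hold offset+32 bits.  The original only required 32 bits in total,
	// which let a large offset decode stale bits past the demodulated data
	// (printT55xxBlock() already applies the offset-aware check).
	if ( DemodBufferLen < (size_t)config.offset + 32) return 1;

	uint8_t si = config.offset;
	uint32_t bl0 = PackBits(si, 32, DemodBuffer);

	uint32_t safer = PackBits(si, 4, DemodBuffer); si += 4;
	uint32_t resv = PackBits(si, 7, DemodBuffer); si += 7;
	uint32_t dbr = PackBits(si, 3, DemodBuffer); si += 3;
	uint32_t extend = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t datamod = PackBits(si, 5, DemodBuffer); si += 5;
	uint32_t pskcf = PackBits(si, 2, DemodBuffer); si += 2;
	uint32_t aor = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t otp = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t maxblk = PackBits(si, 3, DemodBuffer); si += 3;
	uint32_t pwd = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t sst = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t fw = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t inv = PackBits(si, 1, DemodBuffer); si += 1;
	uint32_t por = PackBits(si, 1, DemodBuffer); si += 1;

	if (config.Q5) PrintAndLog("*** Warning *** Config Info read off a Q5 will not display as expected");
	PrintAndLog("");
	PrintAndLog("-- T55x7 Configuration & Tag Information --------------------");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" Safer key : %s", GetSaferStr(safer));
	PrintAndLog(" reserved : %d", resv);
	PrintAndLog(" Data bit rate : %s", GetBitRateStr(dbr, extend));
	PrintAndLog(" eXtended mode : %s", (extend) ? "Yes - Warning":"No");
	PrintAndLog(" Modulation : %s", GetModulationStr(datamod));
	PrintAndLog(" PSK clock frequency : %d", pskcf);
	PrintAndLog(" AOR - Answer on Request : %s", (aor) ? "Yes":"No");
	// In the T55x7 block-0 layout OTP stands for One Time Programmable (the
	// old label "One Time Pad" was a misnomer); when set the tag is locked
	// against further writes, hence the warning.
	PrintAndLog(" OTP - One Time Programmable : %s", (otp) ? "Yes - Warning":"No" );
	PrintAndLog(" Max block : %d", maxblk);
	// A set password bit means reads/writes of this tag need the password
	// (see lf t55xx bruteforce when it is unknown).
	PrintAndLog(" Password mode : %s", (pwd) ? "Yes":"No");
	PrintAndLog(" Sequence Start Terminator : %s", (sst) ? "Yes":"No");
	PrintAndLog(" Fast Write : %s", (fw) ? "Yes":"No");
	PrintAndLog(" Inverse data : %s", (inv) ? "Yes":"No");
	PrintAndLog(" POR-Delay : %s", (por) ? "Yes":"No");
	PrintAndLog("-------------------------------------------------------------");
	PrintAndLog(" Raw Data - Page 0");
	PrintAndLog(" Block 0 : 0x%08X %s", bl0, sprint_bin(DemodBuffer+config.offset,32) );
	PrintAndLog("-------------------------------------------------------------");

	return 0;
}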
1259
int CmdT55xxDump(const char *Cmd){
	// lf t55xx dump [<pwd> [o]]: read and print page 0 blocks 0-7 and page 1
	// blocks 0-3.  Any argument is taken as a hex password; a second
	// argument 'o' passes the override flag through to T55xxReadBlock()
	// (what it overrides is decided there — presumably a "tag is not in
	// password mode" guard, so only use it when you know the tag really is
	// password protected).  Returns 1; 'h' returns the usage value.
	const char first = param_getchar(Cmd, 0);
	if (first == 'h' || first == 'H') return usage_t55xx_dump();

	const bool usepwd = (*Cmd != '\0');
	const uint32_t password = usepwd ? param_get32ex(Cmd, 0, 0, 16) : 0;
	const bool override = usepwd && (param_getchar(Cmd, 1) == 'o');

	for (int page = 0; page <= 1; ++page) {
		printT5xxHeader(page);
		const uint8_t nblocks = page ? 4 : 8;
		for (uint8_t blk = 0; blk < nblocks; ++blk)
			T55xxReadBlock(blk, page, usepwd, override, password, 0);
	}

	return 1;
}
1284
int AquireData( uint8_t page, uint8_t block, bool pwdmode, uint32_t password, uint8_t downlink_mode ){
	// Ask the device to read one T55xx block, then pull 12000 samples into
	// the graph buffer for demodulation on the client side.
	// arg0 layout: bit0 = use password, bit1 = page, bits 3.. = downlink mode.
	// Returns 1 on ACK, 0 when the device does not answer within 2.5 s.
	const uint8_t flags = (uint8_t)((page << 1) | (pwdmode ? 1 : 0) | (downlink_mode << 3));
	UsbCommand c = {CMD_T55XX_READ_BLOCK, {flags, block, password}};

	clearCommandBuffer();
	SendCommand(&c);

	const bool acked = WaitForResponseTimeout(CMD_ACK, NULL, 2500);
	if (!acked) {
		PrintAndLog("command execution time out");
		return 0;
	}
	getSamples(12000,true);
	return 1;
}
1302
char * GetBitRateStr(uint32_t id, bool xmode) {
	// Render a T55xx data-bit-rate code as "<id> - RF/<divisor>".
	// Extended mode computes the divisor the EM4x05 way; otherwise codes
	// 0-7 map to the fixed table below and anything else is "(Unknown)".
	// Returns a static buffer that the next call overwrites.
	static char buf[25];
	static const uint8_t rfDivisor[8] = { 8, 16, 32, 40, 50, 64, 100, 128 };

	if (xmode) { //xmode bitrate calc is same as em4x05 calc
		snprintf(buf, sizeof(buf), "%d - RF/%d", id, EM4x05_GET_BITRATE(id));
	} else if (id < 8) {
		snprintf(buf, sizeof(buf), "%d - RF/%d", id, rfDivisor[id]);
	} else {
		snprintf(buf, sizeof(buf), "%d - (Unknown)", id);
	}
	return buf;
}
1324
char * GetSaferStr(uint32_t id) {
	// Describe the 4-bit 'safer key' nibble of block 0: value 6 is labelled
	// "passwd", 9 "testmode", anything else is printed bare.
	// Returns a static buffer that the next call overwrites.
	static char buf[40];
	const char *suffix = "";

	if (id == 6)
		suffix = " - passwd";
	else if (id == 9)
		suffix = " - testmode";

	snprintf(buf, sizeof(buf), "%d%s", id, suffix);
	return buf;
}
1339
char * GetModulationStr( uint32_t id){
	// Describe the 5-bit modulation field of block 0 as "<id> - <name>";
	// unknown codes render as "0x<id> (Unknown)".
	// Returns a static buffer that the next call overwrites.
	static char buf[60];
	static const struct { uint32_t id; const char *text; } names[] = {
		{ 0,    "DIRECT (ASK/NRZ)" },
		{ 1,    "PSK 1 phase change when input changes" },
		{ 2,    "PSK 2 phase change on bitclk if input high" },
		{ 3,    "PSK 3 phase change on rising edge of input" },
		{ 4,    "FSK 1 RF/8 RF/5" },
		{ 5,    "FSK 2 RF/8 RF/10" },
		{ 6,    "FSK 1a RF/5 RF/8" },
		{ 7,    "FSK 2a RF/10 RF/8" },
		{ 8,    "Manchester" },
		{ 16,   "Biphase" },
		{ 0x18, "Biphase a - AKA Conditional Dephase Encoding(CDP)" },
		{ 17,   "Reserved" },
	};

	for (size_t k = 0; k < sizeof(names) / sizeof(names[0]); ++k) {
		if (names[k].id == id) {
			snprintf(buf, sizeof(buf), "%d - %s", id, names[k].text);
			return buf;
		}
	}
	snprintf(buf, sizeof(buf), "0x%02X (Unknown)", id);
	return buf;
}
1361
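char * GetModelStrFromCID(uint32_t cid){
	// Map the 5-bit CID from the trace block to a chip name.
	// Returns a static buffer that the next call overwrites.
	// Unknown CIDs yield "(Unknown)"; the original left the buffer untouched
	// in that case, so an unknown CID echoed whatever the previous call had
	// produced (e.g. "ATA5577M1" for a CID of 5).
	static char buf[10];

	switch (cid) {
		case 1:  snprintf(buf, sizeof(buf), "ATA5577M1"); break;
		case 2:  snprintf(buf, sizeof(buf), "ATA5577M2"); break;
		default: snprintf(buf, sizeof(buf), "(Unknown)"); break;
	}
	return buf;
}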
1371
char * GetSelectedModulationStr( uint8_t id){
	// Name of the client-side demodulation selected in the config (DEMOD_*).
	// Returns a static buffer that the next call overwrites.
	static char buf[20];
	const char *name;

	switch (id) {
		case DEMOD_FSK:   name = "FSK"; break;
		case DEMOD_FSK1:  name = "FSK1"; break;
		case DEMOD_FSK1a: name = "FSK1a"; break;
		case DEMOD_FSK2:  name = "FSK2"; break;
		case DEMOD_FSK2a: name = "FSK2a"; break;
		case DEMOD_ASK:   name = "ASK"; break;
		case DEMOD_NRZ:   name = "DIRECT/NRZ"; break;
		case DEMOD_PSK1:  name = "PSK1"; break;
		case DEMOD_PSK2:  name = "PSK2"; break;
		case DEMOD_PSK3:  name = "PSK3"; break;
		case DEMOD_BI:    name = "BIPHASE"; break;
		case DEMOD_BIa:   name = "BIPHASEa - (CDP)"; break;
		default:          name = "(Unknown)"; break;
	}
	snprintf(buf, sizeof(buf), "%s", name);
	return buf;
}
1394
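uint32_t PackBits(uint8_t start, uint8_t len, uint8_t* bits){
	// Pack bits[start .. start+len-1], MSB first, into an unsigned integer.
	//   start: index of the first bit to read
	//   len:   number of bits, 0..32 (anything larger returns 0)
	//   bits:  array of 0/1 values; the caller keeps start+len in bounds
	// Returns the packed value.
	if (len > 32) return 0;

	uint32_t packed = 0;
	// Shift an unsigned operand: bits[i] promotes to int and "1 << 31" on an
	// int is undefined behaviour in C (the original shifted the int).
	for (uint32_t k = 0; k < len; ++k)
		packed |= (uint32_t)bits[start + k] << (len - 1 - k);

	return packed;
}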
1408
int CmdResetRead(const char *Cmd) {
	// lf t55xx resetread: send CMD_T55XX_RESET_READ (presumably a reset
	// followed by a regular read) and load the captured samples into the
	// graph buffer.  Returns 1 on success, 0 on a 2.5 s ACK timeout.
	// Cmd is unused.
	(void)Cmd;
	UsbCommand c = {CMD_T55XX_RESET_READ, {0,0,0}};

	clearCommandBuffer();
	SendCommand(&c);
	if ( !WaitForResponseTimeout(CMD_ACK,NULL,2500) ) {
		PrintAndLog("command execution time out");
		return 0;
	}

	// NOTE(review): BIGBUF_SIZE-1 bytes live on the stack here; fine for the
	// current constant, worth moving to the heap if it ever grows.
	uint8_t samples[BIGBUF_SIZE-1];
	GetFromBigBuf(samples, sizeof(samples), 0, NULL, -1 , 0);
	setGraphBuf(samples, sizeof(samples));
	return 1;
}
1424
int CmdT55xxWipe(const char *Cmd) {
	// lf t55xx wipe [q]: DESTRUCTIVE.  Rewrites block 0 of page 0 with a
	// default configuration word (T55x7: 0x00088040, Q5: 0x6001F004) and then
	// zeroes blocks 1-7, all through CmdT55xxWriteBlock().  Block 0 is written
	// in password mode with password 0; the remaining blocks without one.
	// There is no confirmation prompt and nothing is backed up — run
	// 'lf t55xx dump' first if the old contents might be needed.
	// Always returns 0; per-block failures are only logged.
	char first = param_getchar(Cmd, 0);
	if (first == 'h' || first == 'H') return usage_t55xx_wipe();

	const bool isQ5 = (first == 'q' || first == 'Q');

	// Try with the default password to reset block 0
	// With a pwd should work even if pwd bit not set
	PrintAndLog("\nBeginning Wipe of a T55xx tag (assuming the tag is not password protected)\n");

	const char *block0Cmd = isQ5 ? "b 0 d 6001F004 p 0" : "b 0 d 00088040 p 0";
	char writeCmd[20] = {0};

	snprintf(writeCmd, sizeof(writeCmd), "%s", block0Cmd);
	if (!CmdT55xxWriteBlock(writeCmd)) PrintAndLog("Error writing blk 0");

	for (uint8_t blk = 1; blk < 8; blk++) {
		snprintf(writeCmd, sizeof(writeCmd), "b %d d 0", blk);
		if (!CmdT55xxWriteBlock(writeCmd))
			PrintAndLog("Error writing blk %d", blk);
	}
	return 0;
}
1455
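int CmdT55xxBruteForce(const char *Cmd) {
	// lf t55xx bruteforce: recover the password of a password-protected
	// T55xx by trying candidates until a password read of page 0 block 0
	// demodulates to something tryDetectModulation() accepts.
	//   i <file>        dictionary: one 8-hex-digit password per line,
	//                   '#' lines are comments
	//   <start> <end>   exhaustive inclusive hex range
	// Every attempt is a full RF read (AquireData, up to 2.5 s on a timeout),
	// so an exhaustive 32-bit range is impractical — use a dictionary or a
	// narrow range.  Any key press aborts.  A hit is the first candidate
	// whose read demodulates; the detection is heuristic, so confirm with
	// 'lf t55xx dump <pwd>'.
	// Returns 0 on a normal finish or abort, 1 on file/usage errors,
	// 2 on allocation failure.
	const uint8_t downlink_mode = 0;

	char cmdp = param_getchar(Cmd, 0);
	if (cmdp == 'h' || cmdp == 'H') return usage_t55xx_bruteforce();

	if (cmdp == 'i' || cmdp == 'I') {
		// The file name is the rest of the line after "i ".  Require those
		// two characters to exist: the original took strlen(Cmd+2) for a
		// bare "i", reading past the string's terminator.
		if (strlen(Cmd) < 2) return usage_t55xx_bruteforce();

		// Bounded copy that always NUL-terminates.  The original memcpy'd up
		// to FILE_PATH_SIZE bytes into a FILE_PATH_SIZE buffer and could hand
		// an unterminated name to fopen().
		char filename[FILE_PATH_SIZE] = {0};
		snprintf(filename, sizeof(filename), "%s", Cmd + 2);

		FILE * f = fopen( filename , "r");
		if ( !f ) {
			PrintAndLog("File: %s: not found or locked.", filename);
			return 1;
		}

		size_t capacity = 20;
		size_t keycnt = 0;
		uint32_t *keys = calloc(capacity, sizeof(*keys));
		if (keys == NULL) {
			fclose(f);
			return 1;
		}

		char buf[9];
		while( fgets(buf, sizeof(buf), f) ) {
			// A candidate needs 8 characters before any newline.
			if (strlen(buf) < 8 || buf[7] == '\n') continue;

			while (fgetc(f) != '\n' && !feof(f)) ; //goto next line

			//The line start with # is comment, skip
			if( buf[0]=='#' ) continue;

			if (!isxdigit((unsigned char)buf[0])) {
				PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
				continue;
			}

			buf[8] = 0;

			if (keycnt == capacity) {
				// Grow with a size_t capacity.  The original tracked it in a
				// uint8_t that wrapped from 250 to 4 at the 250th key, so the
				// realloc shrank the buffer to 24 bytes and the next key was
				// written ~1 KiB past the end of the heap block.
				size_t newcap = capacity * 2;
				uint32_t *grown = realloc(keys, newcap * sizeof(*keys));
				if (!grown) {
					PrintAndLog("Cannot allocate memory for defaultKeys");
					free(keys);
					fclose(f);
					return 2;
				}
				keys = grown;
				capacity = newcap;
			}
			// 8 hex digits always fit 32 bits; storing the value directly
			// replaces the num_to_bytes/bytes_to_num round trip.
			keys[keycnt] = (uint32_t)strtoul(buf, NULL, 16);
			PrintAndLog("chk custom pwd[%2d] %08X", (int)keycnt, keys[keycnt]);
			keycnt++;
		}
		fclose(f);

		if (keycnt == 0) {
			PrintAndLog("No keys found in file");
			free(keys);
			return 1;
		}
		PrintAndLog("Loaded %d keys", (int)keycnt);

		for (size_t c = 0; c < keycnt; ++c ) {

			if (ukbhit()) {
				(void)getchar();
				printf("\naborted via keyboard!\n");
				free(keys);
				return 0;
			}

			// uint32_t so the %08X below gets the type it expects (the
			// original passed a uint64_t).
			uint32_t testpwd = keys[c];

			PrintAndLog("Testing %08X", testpwd);

			if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, downlink_mode)) {
				PrintAndLog("Aquireing data from device failed. Quitting");
				free(keys);
				return 0;
			}

			if ( tryDetectModulation() ) {
				PrintAndLog("Found valid password: [%08X]", testpwd);
				free(keys);
				return 0;
			}
		}
		PrintAndLog("Password NOT found.");
		free(keys);
		return 0;
	}

	// incremental pwd range search (inclusive on both ends)
	uint32_t start_password = param_get32ex(Cmd, 0, 0, 16);
	uint32_t end_password = param_get32ex(Cmd, 1, 0, 16);

	if ( start_password >= end_password )
		return usage_t55xx_bruteforce();

	PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);

	uint32_t i = start_password;
	bool found = false;

	for (;;) {

		printf(".");
		fflush(stdout);
		if (ukbhit()) {
			(void)getchar();
			printf("\naborted via keyboard!\n");
			return 0;
		}

		if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i, downlink_mode)) {
			PrintAndLog("Aquireing data from device failed. Quitting");
			return 0;
		}
		found = tryDetectModulation();

		// Compare before incrementing: with "i <= end" as the loop condition
		// an end of 0xFFFFFFFF wrapped i to 0 and never terminated.
		if (found || i == end_password) break;
		i++;
	}

	PrintAndLog("");

	if (found)
		PrintAndLog("Found valid password: [%08x]", i);
	else
		PrintAndLog("Password NOT found. Last tried: [%08x]", i);

	return 0;
}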
1612
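// Return a pointer to the first character of space/tab separated parameter
// number 'paramnum' (0-based) of line, or to the terminating NUL when there
// are fewer parameters.  Assumes param_getchar() numbers tokens the same
// way — confirm against util.c if option parsing ever looks off.
static const char *t55xx_bf_param_start(const char *line, int paramnum) {
	const char *p = line;
	for (;;) {
		while (*p == ' ' || *p == '\t') p++;
		if (*p == '\0' || paramnum == 0) return p;
		while (*p != '\0' && *p != ' ' && *p != '\t') p++;
		paramnum--;
	}
}

// Print the downlink encoding a hit was found with, in a form the user can
// pass back as 'e <n>'.
static void t55xx_bf_print_downlink(uint8_t mode) {
	switch (mode) {
		case 0 : PrintAndLog ("Downlink : e 0 - Default/Fixed Bit Length"); break;
		case 1 : PrintAndLog ("Downlink : e 1 - Long Leading Reference"); break;
		case 2 : PrintAndLog ("Downlink : e 2 - Leading Zero Reference"); break;
		case 3 : PrintAndLog ("Downlink : e 3 - 1 of 4 Coding"); break;
		default: break;
	}
}

// Load 8-hex-digit passwords, one per line, from 'filename' into a freshly
// allocated array (*keys_out, *count_out); '#' lines are comments and lines
// not starting with a hex digit are reported and skipped.
// Returns 0 on success (caller frees *keys_out), 1 when the file cannot be
// opened or holds no keys, 2 on allocation failure.
static int t55xx_bf_load_keys(const char *filename, uint32_t **keys_out, size_t *count_out) {
	FILE * f = fopen( filename , "r");
	if ( !f ) {
		PrintAndLog("File: %s: not found or locked.", filename);
		return 1;
	}

	size_t capacity = 20;
	size_t keycnt = 0;
	uint32_t *keys = calloc(capacity, sizeof(*keys));
	if (keys == NULL) {
		fclose(f);
		return 1;
	}

	char buf[9];
	while( fgets(buf, sizeof(buf), f) ) {
		// A candidate needs 8 characters before any newline.
		if (strlen(buf) < 8 || buf[7] == '\n') continue;

		while (fgetc(f) != '\n' && !feof(f)) ; //goto next line

		//The line start with # is comment, skip
		if( buf[0]=='#' ) continue;

		if (!isxdigit((unsigned char)buf[0])) {
			PrintAndLog("File content error. '%s' must include 8 HEX symbols", buf);
			continue;
		}

		buf[8] = 0;

		if (keycnt == capacity) {
			// Grow with a size_t capacity.  The original tracked it in a
			// uint8_t that wrapped from 250 to 4 at the 250th key, so the
			// realloc shrank the buffer to 24 bytes and the next key was
			// written ~1 KiB past the end of the heap block.
			size_t newcap = capacity * 2;
			uint32_t *grown = realloc(keys, newcap * sizeof(*keys));
			if (!grown) {
				PrintAndLog("Cannot allocate memory for defaultKeys");
				free(keys);
				fclose(f);
				return 2;
			}
			keys = grown;
			capacity = newcap;
		}
		keys[keycnt] = (uint32_t)strtoul(buf, NULL, 16);
		PrintAndLog("chk custom pwd[%2d] %08X", (int)keycnt, keys[keycnt]);
		keycnt++;
	}
	fclose(f);

	if (keycnt == 0) {
		PrintAndLog("No keys found in file");
		free(keys);
		return 1;
	}
	*keys_out = keys;
	*count_out = keycnt;
	return 0;
}

int CmdT55xxBruteForce_downlink(const char *Cmd) {
	// lf t55xx bruteforce (downlink-aware variant): recover the password of
	// a password-protected T55xx by trying candidates until a password read
	// of page 0 block 0 demodulates to something tryDetectModulation()
	// accepts.
	//   e <0-3>           downlink encoding to use; e 4 tries all four per
	//                     candidate (now honoured in range mode as well)
	//   i <file>          dictionary, one 8-hex-digit password per line,
	//                     '#' comments; the name is a single token
	//   r <start> <end>   exhaustive inclusive hex range
	// i and r are mutually exclusive.  Every attempt is a full RF read
	// (up to 2.5 s on a timeout), so an exhaustive 32-bit range is
	// impractical.  Any key press aborts.  A hit is heuristic — confirm with
	// 'lf t55xx dump <pwd>'.
	// Returns 0 on a normal finish or abort, 1 on file/usage errors,
	// 2 on allocation failure.
	uint8_t downlink_mode = 0;
	bool try_all_dl_modes = false;
	bool use_file = false;
	bool use_range = false;
	bool errors = false;
	char filename[FILE_PATH_SIZE] = {0};
	uint32_t start_password = 0x00000000; //start password
	uint32_t end_password = 0xFFFFFFFF; //end password
	uint8_t cmdp = 0;

	PrintAndLog("New Downlink Supprt");

	while(param_getchar(Cmd, cmdp) != 0x00 && !errors) {
		switch(param_getchar(Cmd, cmdp)) {
			case 'h':
			case 'H':
				return usage_t55xx_bruteforce_downlink();
			case 'e':
			case 'E': {
				// Parse in int so a missing/non-digit character cannot wrap
				// through the uint8_t before the range check.
				int mode = param_getchar(Cmd, cmdp+1) - '0';
				if (mode == 4) try_all_dl_modes = true;
				downlink_mode = (mode >= 0 && mode <= 3) ? (uint8_t)mode : 0;
				cmdp += 2;
				PrintAndLog ("DL Mode : %d",downlink_mode);
				break;
			}
			case 'i':
			case 'I': {
				if (use_range) {
					PrintAndLog ("use Range or File");
					return 0;
				}
				use_file = true;
				// Take the token after 'i'.  The original located it with a
				// hand-maintained byte offset and measured its length from a
				// different position (strlen(Cmd+2)), so with other options
				// present memcpy read past the end of the line.
				const char *name = t55xx_bf_param_start(Cmd, cmdp+1);
				size_t n = strcspn(name, " \t");
				if (n >= sizeof(filename)) n = sizeof(filename) - 1;
				memcpy(filename, name, n);
				filename[n] = '\0';
				cmdp += 2;
				break;
			}
			case 'r':
			case 'R':
				if (use_file) {
					PrintAndLog ("use Range or File");
					return 0;
				}
				use_range = true;
				start_password = param_get32ex(Cmd, cmdp+1, 0, 16);
				end_password = param_get32ex(Cmd, cmdp+2, 0, 16);
				cmdp += 3;
				break;
			default:
				PrintAndLog("Unknown parameter '%c'", param_getchar(Cmd, cmdp));
				errors = true;
				break;
		}
	}

	// An unknown option, or neither i nor r, used to fall out of the
	// function silently (and leak the key buffer); show the usage instead.
	if (errors || (!use_file && !use_range)) return usage_t55xx_bruteforce_downlink();

	const uint8_t last_dl_mode = try_all_dl_modes ? 3 : downlink_mode;

	if (use_file) {
		uint32_t *keys = NULL;
		size_t keycnt = 0;
		int rc = t55xx_bf_load_keys(filename, &keys, &keycnt);
		if (rc != 0) return rc;
		PrintAndLog("Loaded %d keys", (int)keycnt);

		for (size_t c = 0; c < keycnt; ++c ) {

			if (ukbhit()) {
				(void)getchar();
				printf("\naborted via keyboard!\n");
				free(keys);
				return 0;
			}

			uint32_t testpwd = keys[c];

			PrintAndLog("Testing %08X", testpwd);

			// Try each downlink mode if asked to, otherwise just the one.
			for (uint8_t dl_mode = downlink_mode; dl_mode <= last_dl_mode; dl_mode++) {
				if ( !AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, testpwd, dl_mode)) {
					PrintAndLog("Aquireing data from device failed. Quitting");
					free(keys);
					return 0;
				}

				if ( tryDetectModulation() ) {
					PrintAndLog("Found valid password: [%08X]", testpwd);
					free(keys);
					t55xx_bf_print_downlink(dl_mode);
					return 0;
				}
			}
		}
		PrintAndLog("Password NOT found.");
		free(keys);
		return 0;
	}

	// incremental pwd range search (inclusive on both ends)
	if ( start_password >= end_password )
		return usage_t55xx_bruteforce_downlink();

	PrintAndLog("Search password range [%08X -> %08X]", start_password, end_password);

	uint32_t i = start_password;
	bool found = false;
	uint8_t hit_mode = downlink_mode;

	for (;;) {

		printf(".");
		fflush(stdout);
		if (ukbhit()) {
			(void)getchar();
			printf("\naborted via keyboard!\n");
			return 0;
		}

		for (uint8_t dl_mode = downlink_mode; dl_mode <= last_dl_mode && !found; dl_mode++) {
			if (!AquireData(T55x7_PAGE0, T55x7_CONFIGURATION_BLOCK, true, i, dl_mode)) {
				PrintAndLog("Aquireing data from device failed. Quitting");
				return 0;
			}
			found = tryDetectModulation();
			hit_mode = dl_mode;
		}

		// Compare before incrementing: with "i <= end" as the loop condition
		// an end of 0xFFFFFFFF wrapped i to 0 and never terminated.
		if (found || i == end_password) break;
		i++;
	}

	PrintAndLog("");

	if (found) {
		PrintAndLog("Found valid password: [%08x]", i);
		t55xx_bf_print_downlink(hit_mode);
	} else {
		PrintAndLog("Password NOT found. Last tried: [%08x]", i);
	}

	return 0;
}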
1845
1846 // note length of data returned is different for different chips.
1847 // some return all page 1 (64 bits) and others return just that block (32 bits)
1848 // unfortunately the 64 bits makes this more likely to get a false positive...
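// Shared acceptance test for the page-1 detector: the current demod output
// must contain the preamble and be exactly 32 or 64 bits long afterwards.
// preambleSearchEx() trims DemodBufferLen to the repeat length on success.
static bool t55xx_p1_preamble_ok(uint8_t *preamble, size_t plen) {
	size_t startIdx = 0;
	return preambleSearchEx(DemodBuffer, preamble, plen, &DemodBufferLen, &startIdx, false) &&
	       (DemodBufferLen == 32 || DemodBufferLen == 64);
}

bool tryDetectP1(bool getData) {
	// Decide whether the graph buffer (or a fresh read of page 1 block 1
	// when getData is set) looks like T55xx page 1: try the demods in the
	// order FSK, PSK, ASK/biphase, NRZ and accept the first one whose output
	// contains the 16-bit preamble and is 32 or 64 bits long.  On success
	// DemodBuffer/DemodBufferLen hold that demod's output.
	// The check is heuristic (the NRZ path in particular false-positives),
	// so a true result means "plausible", not proven.
	uint8_t preamble[] = {1,1,1,0,0,0,0,0,0,0,0,1,0,1,0,1};
	uint8_t fc1 = 0, fc2 = 0, fskClk = 0, ans = 0;
	int clk = 0, firstClockEdge = 0;
	bool st = true;

	if ( getData ) {
		if ( !AquireData(T55x7_PAGE1, 1, false, 0,0) )
			return false;
	}

	// try fsk clock detect. if successful it cannot be any other type of modulation... (in theory...)
	// fskClocks() takes a uint8_t* for the clock; the original aliased an
	// int through a uint8_t* cast, which only gave the right value on
	// little-endian hosts.  The FSK clock itself is not used further down.
	ans = fskClocks(&fc1, &fc2, &fskClk, false, &firstClockEdge);
	if (ans && ((fc1==10 && fc2==8) || (fc1==8 && fc2==5))) {
		if ( FSKrawDemod("0 0", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		if ( FSKrawDemod("0 1", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		return false;
	}

	// try psk clock detect. if successful it cannot be any other type of modulation... (in theory...)
	clk = GetPskClock("", false, false);
	if (clk>0) {
		// allow undo
		// save_restoreGB(1);
		// skip first 160 samples to allow antenna to settle in (psk gets inverted occasionally otherwise)
		//CmdLtrim("160");
		if ( PSKDemod("0 0 6", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) ) {
			//save_restoreGB(0);
			return true;
		}
		if ( PSKDemod("0 1 6", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) ) {
			//save_restoreGB(0);
			return true;
		}
		// PSK2 - needs a call to psk1TOpsk2.
		if ( PSKDemod("0 0 6", false)) {
			psk1TOpsk2(DemodBuffer, DemodBufferLen);
			if (t55xx_p1_preamble_ok(preamble, sizeof(preamble))) {
				//save_restoreGB(0);
				return true;
			}
		} // inverse waves does not affect PSK2 demod
		//undo trim samples
		//save_restoreGB(0);
		// no other modulation clocks = 2 or 4 so quit searching
		// (kept as in the original: fc1 comes from the FSK clock detect above)
		if (fc1 != 8) return false;
	}

	// try ask clock detect. it could be another type even if successful.
	clk = GetAskClock("", false, false);
	if (clk>0) {
		if ( ASKDemod_ext("0 0 1", false, false, 1, &st) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		st = true;
		if ( ASKDemod_ext("0 1 1", false, false, 1, &st) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		if ( ASKbiphaseDemod("0 0 0 2", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		if ( ASKbiphaseDemod("0 0 1 2", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
	}

	// try NRZ clock detect. it could be another type even if successful.
	clk = GetNrzClock("", false, false); //has the most false positives :(
	if (clk>0) {
		if ( NRZrawDemod("0 0 1", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
		if ( NRZrawDemod("0 1 1", false) && t55xx_p1_preamble_ok(preamble, sizeof(preamble)) )
			return true;
	}
	return false;
}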
1953 // does this need to be a callable command?
// Try to detect a T55xx tag by reading its page 1 and running the
// preamble search in tryDetectP1().
//
// Cmd options:
//   h            show usage
//   p <password> hex password passed to AquireData() for the read
//   1            skip the tag read and use the data already in the GraphBuffer
//
// Unless the '1' option is given, page 1 is acquired first (AquireData is
// assumed to issue the read over the device link — confirm in cmdlft55xx.h);
// a failed acquisition returns false without running the detection.
// Returns the detection result (true when tryDetectP1 found the preamble).
int CmdT55xxDetectPage1(const char *Cmd){
	bool use_graphbuffer = false;
	bool have_password = false;
	uint32_t pwd = 0;
	uint8_t pos = 0;

	for (;;) {
		char opt = param_getchar(Cmd, pos);
		if (opt == 0x00) break;

		if (opt == 'h' || opt == 'H') {
			return usage_t55xx_detectP1();
		} else if (opt == 'p' || opt == 'P') {
			// password is given as hex in the parameter following 'p'
			pwd = param_get32ex(Cmd, pos+1, 0, 16);
			have_password = true;
			pos += 2;
		} else if (opt == '1') {
			// work on the GraphBuffer instead of reading the tag
			use_graphbuffer = true;
			pos++;
		} else {
			PrintAndLog("Unknown parameter '%c'", opt);
			return usage_t55xx_detectP1();
		}
	}

	if (!use_graphbuffer && !AquireData(T55x7_PAGE1, 1, have_password, pwd, 0)) {
		return false;
	}

	bool found = tryDetectP1(false);
	if (found) PrintAndLog("T55xx chip found!");
	return found;
}
1993
// Sub-command table for "lf t55xx". Entries are listed in the order they are
// printed by CmdHelp(). Fields: name, handler, flag, help text.
// NOTE(review): the third field looks like the proxmark3 "offline" flag
// (1 = usable without a connected device, 0 = needs the device) — confirm
// against the command_t definition in cmdparser.h.
static command_t CommandTable[] = {
	{"help", CmdHelp, 1, "This help"},
	// password recovery: iterates a numeric range and/or a dictionary file
	{"bruteforce",CmdT55xxBruteForce,0, "<start password> <end password> [i <*.dic>] Simple bruteforce attack to find password"},
	// same as bruteforce but with a selectable downlink encoding ('e')
	{"bruteforcedl",CmdT55xxBruteForce_downlink,0, "r <start password> <end password> [i <*.dic>] [e <downlink>] Simple bruteforce attack to find password"},
	{"config", CmdT55xxSetConfig, 1, "Set/Get T55XX configuration (modulation, inverted, offset, rate)"},
	{"detect", CmdT55xxDetect, 1, "[1] Try detecting the tag modulation from reading the configuration block."},
	// page-1 based presence check, see CmdT55xxDetectPage1() above
	{"p1detect", CmdT55xxDetectPage1,1, "[1] Try detecting if this is a t55xx tag by reading page 1"},
	{"read", CmdT55xxReadBlock, 0, "b <block> p [password] [o] [1] -- Read T55xx block data. Optional [p password], [override], [page1]"},
	{"resetread", CmdResetRead, 0, "Send Reset Cmd then lf read the stream to attempt to identify the start of it (needs a demod and/or plot after)"},
	{"write", CmdT55xxWriteBlock,0, "b <block> d <data> p [password] [1] -- Write T55xx block data. Optional [p password], [page1]"},
	{"trace", CmdT55xxReadTrace, 1, "[1] Show T55x7 traceability data (page 1/ blk 0-1)"},
	{"info", CmdT55xxInfo, 1, "[1] Show T55x7 configuration data (page 0/ blk 0)"},
	{"dump", CmdT55xxDump, 0, "[password] [o] Dump T55xx card block 0-7. Optional [password], [override]"},
	{"special", special, 0, "Show block changes with 64 different offsets"},
	{"wakeup", CmdT55xxWakeUp, 0, "Send AOR wakeup command"},
	// destructive: overwrites every block; the help text warns the user
	{"wipe", CmdT55xxWipe, 0, "[q] Wipe a T55xx tag and set defaults (will destroy any data on tag)"},
	{NULL, NULL, 0, NULL}
};
2012
// Entry point for "lf t55xx": hands the remaining command line to the
// generic parser, which dispatches on CommandTable. Always returns 0;
// the sub-command's own return value is not propagated.
int CmdLFT55XX(const char *Cmd) {
	const char *subcmd = Cmd;
	CmdsParse(CommandTable, subcmd);
	return 0;
}
2017
// "lf t55xx help": prints the help text of every CommandTable entry.
// The argument string is not used. Always returns 0.
int CmdHelp(const char *Cmd) {
	(void)Cmd;
	CmdsHelp(CommandTable);
	return 0;
}